The Web site of Lush, the natural ingredients cosmetic firm, was reportedly cracked and subverted by hackers. Unconfirmed reports suggest that customers’ payment card details have already been used by fraudsters.

According to Phil Lieberman, president of privileged identity management software specialists Lieberman Software, whilst reports of the site hack only broke on the newswires late on Friday, forum postings suggest the hack has been subverting customer payment card details for some time.

"This appears to have been confirmed by Lush, which says that anyone who placed an online order between October 4 and last Thursday should contact their bank in case their payment card has been compromised," he said, adding that the BBC reports that customers are now complaining about fraudulent purchases.

This saga is a potential brand destroyer, says Lieberman, as the cosmetics firm could have handled the situation better. One needs only read the comments on the Lush Facebook page, Lieberman added, to see the anger and frustration of the company’s past customers.

“The bare minimum response of companies who undergo similar attacks is usually to fully disclose the scope of the breach, offer a frank apology, and provide a year’s worth of no-cost credit checks for impacted consumers,” said Lieberman. Instead, the company simply said it was aware of the problem.

"I agree with consumers who say that the retailer’s response has been inadequate,” he added. “The company should have responded earlier and with more appropriate action – especially since this organization has been in the industry for several decades and, while portraying itself as a small and laid-back company, is in reality a major chain with a multi-million pound turnover.”

Lieberman went on to say that the firm could face punitive fines from the Information Commissioner’s Office, as well as an investigation under the PCI DSS security rules from the Payment Card Industry Security Standards Forum. Whilst it’s unlikely that Lush will lose its ability to process card transactions as a result of the incident, the firm could find that its commission rates will rise - adding substantially to its cost of doing business in the wake of the fiasco.

"This looks like a prime example of how not to handle a serious data security incident. Not only has the retailer alienated large numbers of customers, but it could also pay big penalties on several fronts," he said.

"The real damage lies in the fact that the reputation of the company - which prides itself on customer service and an eco-friendly approach to its products - will take a battering. There are a lot of customers who will be tempted to buy elsewhere, and that is a stark reality," he added.

"Other firms who are concerned about their own Web site and card security arrangements would do well to sit up and take notice."